diff options
-rw-r--r-- | doc/server/encryption.txt | 209 | ||||
-rw-r--r-- | doc/server/index.txt | 1 | ||||
-rw-r--r-- | doc/server/plugins/connectors/properties.txt | 48 | ||||
-rw-r--r-- | doc/server/plugins/generators/cfg.txt | 64 | ||||
-rwxr-xr-x | src/lib/Bcfg2/Encryption.py | 149 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedCheetahGenerator.py | 6 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py | 31 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenshiGenerator.py | 26 | ||||
-rw-r--r-- | src/lib/Bcfg2/Server/Plugins/Properties.py | 61 | ||||
-rwxr-xr-x | src/sbin/bcfg2-crypt | 36 |
10 files changed, 446 insertions, 185 deletions
diff --git a/doc/server/encryption.txt b/doc/server/encryption.txt new file mode 100644 index 000000000..bc18e140c --- /dev/null +++ b/doc/server/encryption.txt @@ -0,0 +1,209 @@ +.. -*- mode: rst -*- + +.. _server-encryption: + +===================== +Bcfg2 Data Encryption +===================== + +.. versionadded:: 1.3.0 + +Bcfg2 supports encrypting some data on the disk, which can help +protect sensitive data from other people who need access to the Bcfg2 +repository but are perhaps not authorized to see all data. It +supports multiple passphrases, which can be used to enforce +separations between teams, environments, etc. + +.. note:: + + This feature is *not* intended to secure the files against a + malicious attacker who has gained access to your Bcfg2 server, as + the encryption passphrases are held in plaintext in + ``bcfg2.conf``. This is only intended to make it easier to use a + single Bcfg2 repository with multiple admins who should not + necessarily have access to each other's sensitive data. + +Two types of data can be encrypted: + +* :ref:`server-plugins-generators-cfg` files can be encrypted + as whole files. See :ref:`server-plugins-generators-cfg-encryption` + for more details. +* :ref:`server-plugins-connectors-properties` data can be encrypted on + a per-element basis. See + :ref:`server-plugins-connectors-properties-encryption` for more + details. + +In general, Properties encryption is preferred for a few reasons: + +* It plays nicely with your VCS. If you change an encrypted Cfg file, + then all you can see in your VCS log is that the file changed, no + details about how it changed. With an encrypted Properties file, + you can see which element changed (although obviously not the + changed content). +* It is faster when you have more than one passphrase. When + decrypting a Cfg file, Bcfg2 simply brute-forces it with all known + passphrases; when decrypting a Properties element, the passphrase is + given by name so only one passphrase must be tried. +* A Cfg file can only be encrypted with a single passphrase; + Properties files can use different passphrases for different + elements. If you are using different passphrases to segregate data + amongst different teams, this lets teams collaborate more closely on + files and other data. + +.. _bcfg2-crypt: + +bcfg2-crypt +=========== + +Encrypting and decrypting :ref:`server-plugins-generators-cfg` and +:ref:`server-plugins-connectors-properties` files can be done with the +``bcfg2-crypt`` tool, which mostly tries to do the right thing. I.e., +it encrypts plaintext files, decrypts encrypted files, and +automatically discovers if a file is Cfg or Properties. Its usage is +thus generally very simple, e.g.:: + + bcfg2-crypt foo.conf + bcfg2-crypt foo.xml + +Since the behavior of ``bcfg2-crypt`` varies significantly depending +on whether you are dealing with a Cfg or Properties files, these are +documented separately below. It's also well worthwhile to familiarize +yourself with the man page for ``bcfg2-crypt``. + +Encrypting Cfg Files +-------------------- + +To encrypt a Cfg file, you can simply run:: + + bcfg2-crypt foo.conf + +This will write the encrypted data to ``foo.conf.crypt``. Once you +are satisfied that the file has been encrypted as you wish, you can +remove the plaintext version, or you can use the ``--remove`` flag of +``bcfg2-crypt``. + +To decrypt a file, simply run ``bcfg2-crypt`` again:: + + bcfg2-crypt foo.conf.crypt + +On Cfg files, ``bcfg2-crypt`` is more-or-less equivalent to the +following commands (encryption and decryption, respectively):: + + openssl enc -aes-256-cbc -k <passphrase> -in foo.conf \ + -out foo.conf.crypt -a + openssl enc -d -aes-256-cbc -k <passphrase> -in foo.conf.crypt \ + -out foo.conf -a + +Those commands can be used in lieu of ``bcfg2-crypt`` if you hate +convenience. + +Encrypting Properties Files +--------------------------- + +To encrypt or decrypt a properties file, simply run:: + + bcfg2-crypt foo.xml + +If the top-level tag of a Properties file is not ``<Properties>``, +then you need to use the ``--properties`` flag to ``bcfg2-crypt``:: + + bcfg2-crypt --properties foo.xml + +The first time you run ``bcfg2-crypt`` on a Properties file, it will +encrypt all character data of all elements. Additionally, it will add +``encrypted="<key name>"`` to each element that has encrypted character +data. It also adds ``encryption="true"`` to the top-level +``<Properties>`` tag as a flag to the server that it should try to +decrypt the data in that file. (If you are using Properties schemas, +you will need to make sure to add support for these attributes.) On +subsequent runs, only those elements flagged with ``encrypted="*"`` +are encrypted or decrypted. + +To decrypt a Properties file, simply re-run ``bcfg2-crypt``:: + + bcfg2-crypt foo.xml + +This decrypts the encrypted elements, but it does *not* remove the +``encrypted`` attribute; this way, you can decrypt a Properties +file, modify the contents, and then simply re-run ``bcfg2-crypt`` to +encrypt it again. If you added elements that you also want to be +encrypted, you can either add the ``encrypted`` attribute to +them manually, or run:: + + bcfg2-crypt --xpath '*' foo.xml + +You can also use the ``--xpath`` option to specify more restrictive +XPath expressions to only encrypt a subset of elements, or to encrypt +different elements with different passphrases. Alternatively, you can +manally set the ``encrypted`` attribute on various elements and +``bcfg2-crypt`` will automatically do the right thing. You can also +run bcfg2-crypt in interactive mode to interactively select which +attributes should be encrypted:: + + bcfg2-crypt -I foo.xml + +If you want to use different passphrases within a single Properties +file, you must manually set the ``encrypted`` attribute. + +.. _server-encryption-configuration: + +Configuring Encryption +====================== + +Passphrases +----------- + +To configure encryption, add a ``[encryption]`` section to +``bcfg2.conf`` with any number of name-passphrase pairs. + +For instance:: + + [encryption] + foo_team=P4ssphr4se + bar_team=Pa55phra5e + +.. note:: + + The name of a passphrase **cannot** be "algorithm"; that + configuration option is reserved for configuring the cipher + algorithm. + +This would define two separate encryption passphrases, presumably for +use by two separate teams. The passphrase names are completely +arbitrary. + +Note that this does entail a chicken-and-egg problem. In order for +the Bcfg2 server to be able to decrypt encrypted files, the +passphrases must exist in ``bcfg2.conf`` in plaintext; but, if you're +encrypting data, presumably you don't want to include those plaintext +passphrases in your Bcfg2 repository, so you'll want to encrypt +``bcfg2.conf``. The best way to solve this is: + +#. On your Bcfg2 server, manually add the ``[encryption]`` section to + ``bcfg2.conf`` and restart the Bcfg2 server. +#. Update ``bcfg2.conf`` in your Bcfg2 repository with the + passphrases, and encrypt it. + +The first (manual) step breaks the mutual dependency. + +Algorithm +--------- + +By default, Bcfg2 uses the AES-256-CBC cipher algorithm. If you wish +to change this, you can set the ``algorithm`` option in the +``[encryption]`` section of ``bcfg2.conf``:: + + [encryption] + algorithm = bf_cbc + +The value of ``algorithm`` must be a valid OpenSSL cipher algorithm +according the naming model of the Python :mod:`M2Crypto` module. To +get a list of valid algorithms, you can run:: + + openssl list-cipher-algorithms | grep -v ' => ' | \ + tr 'A-Z-' 'a-z_' | sort -u + +Encryption API +============== + +.. automodule:: Bcfg2.Encryption diff --git a/doc/server/index.txt b/doc/server/index.txt index b28924034..505fc8004 100644 --- a/doc/server/index.txt +++ b/doc/server/index.txt @@ -32,3 +32,4 @@ clients. backends database caching + encryption diff --git a/doc/server/plugins/connectors/properties.txt b/doc/server/plugins/connectors/properties.txt index 9e1100610..0fb7e8511 100644 --- a/doc/server/plugins/connectors/properties.txt +++ b/doc/server/plugins/connectors/properties.txt @@ -171,7 +171,7 @@ in ``bcfg2.conf``:: [properties] writes_enabled = false -.. _server-plugins-connectors-properties-encrypted: +.. _server-plugins-connectors-properties-encryption: Encrypted Properties data ========================= @@ -180,10 +180,10 @@ Encrypted Properties data You can encrypt selected data in Properties files to protect that data from other people who need access to the repository. See -:ref:`server-plugins-generators-cfg-configuring-encryption` for -details on configuring encryption passphrases. The data is decrypted -transparently on-the-fly by the server; you never need to decrypt the -data in your templates. +:ref:`server-encryption-configuration` for details on configuring +encryption passphrases. The data is decrypted transparently +on-the-fly by the server; you never need to decrypt the data in your +templates. .. note:: @@ -202,43 +202,11 @@ with the other data in the file. Only character content of an element can be encrypted; attribute content and XML elements themselves cannot be encrypted. -To encrypt a file, use ``bcfg2-crypt``, e.g.:: +To encrypt or decrypt a file, use :ref:`bcfg2-crypt`. - bcfg2-crypt foo.xml +See :ref:`server-encryption` for more details on encryption in Bcfg2 +in general. -If the top-level tag of a Properties file is not ``<Properties>``, -then you need to use the ``--properties`` flag to ``bcfg2-crypt``:: - - bcfg2-crypt --properties foo.xml - -The first time you run ``bcfg2-crypt`` on a Properties file, it will -encrypt all character data of all elements. Additionally, it will add -``encrypted="<key name>"`` to each element that has encrypted character -data. It also adds ``encryption="true"`` to the top-level -``<Properties>`` tag as a flag to the server that it should try to -decrypt the data in that file. (If you are using Properties schemas, -you will need to make sure to add support for these attributes.) On -subsequent runs, only those elements flagged with ``encrypted="*"`` -are encrypted or decrypted. - -To decrypt a Properties file, simply re-run ``bcfg2-crypt``:: - - bcfg2-crypt foo.xml - -This decrypts the encrypted elements, but it does *not* remove the -``encrypted`` attribute; this way, you can decrypt a Properties -file, modify the contents, and then simply re-run ``bcfg2-crypt`` to -encrypt it again. If you added elements that you also want to be -encrypted, you can either add the ``encrypted`` attribute to -them manually, or run:: - - bcfg2-crypt --xpath '*' foo.xml - -You can also use the ``--xpath`` option to specify more restrictive -XPath expressions to only encrypt a subset of elements, or to encrypt -different elements with different passphrases. Alternatively, you can -manally set the ``encrypted`` attribute on various elements and -``bcfg2-crypt`` will automatically do the right thing. Accessing Properties contents from TGenshi ========================================== diff --git a/doc/server/plugins/generators/cfg.txt b/doc/server/plugins/generators/cfg.txt index 6c848fddb..2987e21b9 100644 --- a/doc/server/plugins/generators/cfg.txt +++ b/doc/server/plugins/generators/cfg.txt @@ -139,6 +139,8 @@ using different host-specific or group-specific files. For example: Cfg/etc/fstab/fstab.H_host.example.com.genshi Cfg/etc/fstab/fstab.G50_server.cheetah +.. _server-plugins-generators-cfg-encryption: + Encrypted Files =============== @@ -146,7 +148,7 @@ Encrypted Files Bcfg2 allows you to encrypt files stored in ``Cfg/`` to protect the data in them from other people who need access to the repository. See -also :ref:`server-plugins-connectors-properties-encrypted` for +also :ref:`server-plugins-connectors-properties-encryption` for information on encrypting elements in Properties files, which is often more friendly for tracking changes in a VCS. @@ -159,6 +161,9 @@ more friendly for tracking changes in a VCS. single Bcfg2 repository with multiple admins who should not necessarily have access to each other's sensitive data. +See :ref:`server-encryption` for more details on encryption in Bcfg2 +in general. + Encrypting Files ---------------- @@ -175,62 +180,7 @@ either order, e.g.:: Cfg/etc/foo.conf/foo.conf.G10_foo.genshi.crypt Cfg/etc/foo.conf/foo.conf.H_bar.example.com.crypt.cheetah -To encrypt a file, you can use ``bcfg2-crypt``, e.g.:: - - bcfg2-crypt foo.conf - -Once you are satisfied that the file has been encrypted as you wish, -you can remove the plaintext version, or you can use the ``--remove`` -flag of ``bcfg2-crypt``. - -To decrypt a file, simply run ``bcfg2-crypt`` again:: - - bcfg2-crypt foo.conf - -See the ``bcfg2-crypt`` man page for more information. - -``bcfg2-crypt`` simply performs an AES256 encryption, and is -more-or-less equivalent to the following commands (encryption and -decryption, respectively:: - - openssl enc -aes-256-cbc -k <passphrase> -in foo.conf -out foo.conf.crypt -a - openssl enc -d -aes-256-cbc -k <passphrase> -in foo.conf.crypt -out foo.conf -a - -.. _server-plugins-generators-cfg-configuring-encryption: - -Configuring Encryption ----------------------- - -To configure encryption, add a ``[encryption]`` section to -``bcfg2.conf`` with any number of name-passphrase pairs. When -decrypting a file, _all_ passphrases will be tried; the passphrase -name is currently purely cosmetic, but at some point in the future the -ability to give Bcfg2 a "hint" about which passphrase to use will be -added. - -For instance:: - - [encryption] - foo_team=P4ssphr4se - bar_team=Pa55phra5e - -This would define two separate encryption passphrases, presumably for -use by two separate teams. The passphrase names are completely -arbitrary. - -Note that this does entail a chicken-and-egg problem. In order for -the Bcfg2 server to be able to decrypt encrypted files, the -passphrases must exist in ``bcfg2.conf`` in plaintext; but, if you're -encrypting data, presumably you don't want to include those plaintext -passphrases in your Bcfg2 repository, so you'll want to encrypt -``bcfg2.conf``. The best way to solve this is: - -#. On your Bcfg2 server, manually add the ``[encryption]`` section to - ``bcfg2.conf`` and restart the Bcfg2 server. -#. Update ``bcfg2.conf`` in your Bcfg2 repository with the - passphrases, and encrypt it. - -The first (manual) step breaks the mutual dependency. +To encrypt or decrypt a file, use :ref:`bcfg2-crypt`. Deltas ====== diff --git a/src/lib/Bcfg2/Encryption.py b/src/lib/Bcfg2/Encryption.py index 5e70a1d10..5eb7ffe8e 100755 --- a/src/lib/Bcfg2/Encryption.py +++ b/src/lib/Bcfg2/Encryption.py @@ -1,18 +1,37 @@ -#!/usr/bin/python -Ott +""" Bcfg2.Encryption provides a number of convenience methods for +handling encryption in Bcfg2. See :ref:`server-encryption` for more +details. """ import os -import base64 from M2Crypto import Rand from M2Crypto.EVP import Cipher, EVPError -from Bcfg2.Compat import StringIO, md5 +from Bcfg2.Compat import StringIO, md5, b64encode, b64decode +#: Constant representing the encryption operation for +#: :class:`M2Crypto.EVP.Cipher`, which uses a simple integer. This +#: makes our code more readable. ENCRYPT = 1 + +#: Constant representing the decryption operation for +#: :class:`M2Crypto.EVP.Cipher`, which uses a simple integer. This +#: makes our code more readable. DECRYPT = 0 + +#: Default cipher algorithm. To get a full list of valid algorithms, +#: you can run:: +#: +#: openssl list-cipher-algorithms | grep -v ' => ' | \ +#: tr 'A-Z-' 'a-z_' | sort -u ALGORITHM = "aes_256_cbc" + +#: Default initialization vector. For best security, you should use a +#: unique IV for each message. :func:`ssl_encrypt` does this in an +#: automated fashion. IV = '\0' * 16 Rand.rand_seed(os.urandom(1024)) + def _cipher_filter(cipher, instr): inbuf = StringIO(instr) outbuf = StringIO() @@ -27,54 +46,127 @@ def _cipher_filter(cipher, instr): outbuf.close() return rv + def str_encrypt(plaintext, key, iv=IV, algorithm=ALGORITHM, salt=None): - """ encrypt a string """ + """ Encrypt a string with a key. For a higher-level encryption + interface, see :func:`ssl_encrypt`. + + :param plaintext: The plaintext data to encrypt + :type plaintext: string + :param key: The key to encrypt the data with + :type key: string + :param iv: The initialization vector + :type iv: string + :param algorithm: The cipher algorithm to use + :type algorithm: string + :param salt: The salt to use + :type salt: string + :returns: string - The decrypted data + """ cipher = Cipher(alg=algorithm, key=key, iv=iv, op=ENCRYPT, salt=salt) return _cipher_filter(cipher, plaintext) - + + def str_decrypt(crypted, key, iv=IV, algorithm=ALGORITHM): - """ decrypt a string """ + """ Decrypt a string with a key. For a higher-level decryption + interface, see :func:`ssl_decrypt`. + + :param crypted: The raw binary encrypted data + :type crypted: string + :param key: The encryption key to decrypt with + :type key: string + :param iv: The initialization vector + :type iv: string + :param algorithm: The cipher algorithm to use + :type algorithm: string + :returns: string - The decrypted data + """ cipher = Cipher(alg=algorithm, key=key, iv=iv, op=DECRYPT) return _cipher_filter(cipher, crypted) - + + def ssl_decrypt(data, passwd, algorithm=ALGORITHM): - """ decrypt openssl-encrypted data """ + """ Decrypt openssl-encrypted data. This can decrypt data + encrypted by :func:`ssl_encrypt`, or ``openssl enc``. It performs + a base64 decode first if the data is base64 encoded, and + automatically determines the salt and initialization vector (both + of which are embedded in the encrypted data). + + :param data: The encrypted data (either base64-encoded or raw + binary) to decrypt + :type data: string + :param passwd: The password to use to decrypt the data + :type passwd: string + :param algorithm: The cipher algorithm to use + :type algorithm: string + :returns: string - The decrypted data + """ # base64-decode the data if necessary try: - data = base64.b64decode(data) + data = b64decode(data) except TypeError: # already decoded pass - + salt = data[8:16] hashes = [md5(passwd + salt).digest()] - for i in range(1,3): - hashes.append(md5(hashes[i-1] + passwd + salt).digest()) + for i in range(1, 3): + hashes.append(md5(hashes[i - 1] + passwd + salt).digest()) key = hashes[0] + hashes[1] iv = hashes[2] - - return str_decrypt(data[16:], key=key, iv=iv) + + return str_decrypt(data[16:], key=key, iv=iv, algorithm=algorithm) + def ssl_encrypt(plaintext, passwd, algorithm=ALGORITHM, salt=None): - """ encrypt data in a format that is openssl compatible """ + """ Encrypt data in a format that is openssl compatible. + + :param plaintext: The plaintext data to encrypt + :type plaintext: string + :param passwd: The password to use to encrypt the data + :type passwd: string + :param algorithm: The cipher algorithm to use + :type algorithm: string + :param salt: The salt to use. If none is provided, one will be + randomly generated. + :type salt: bytes + :returns: string - The base64-encoded, salted, encrypted string. + The string includes a trailing newline to make it fully + compatible with openssl command-line tools. + """ if salt is None: salt = Rand.rand_bytes(8) - + hashes = [md5(passwd + salt).digest()] - for i in range(1,3): - hashes.append(md5(hashes[i-1] + passwd + salt).digest()) + for i in range(1, 3): + hashes.append(md5(hashes[i - 1] + passwd + salt).digest()) key = hashes[0] + hashes[1] iv = hashes[2] - - crypted = str_encrypt(plaintext, key=key, salt=salt, iv=iv) - return base64.b64encode("Salted__" + salt + crypted) + "\n" + + crypted = str_encrypt(plaintext, key=key, salt=salt, iv=iv, + algorithm=algorithm) + return b64encode("Salted__" + salt + crypted) + "\n" + + +def get_algorithm(setup): + """ Get the cipher algorithm from the config file. This is used + in case someone uses the OpenSSL algorithm name (e.g., + "AES-256-CBC") instead of the M2Crypto name (e.g., "aes_256_cbc"), + and to handle errors in a sensible way and deduplicate this code. + + :param setup: The Bcfg2 option set to extract passphrases from + :type setup: Bcfg2.Options.OptionParser + :returns: dict - a dict of ``<passphrase name>``: ``<passphrase>`` + """ + return setup.cfp.get("encryption", "algorithm", + default=ALGORITHM).lower().replace("-", "_") def get_passphrases(setup): """ Get all candidate encryption passphrases from the config file. :param setup: The Bcfg2 option set to extract passphrases from :type setup: Bcfg2.Options.OptionParser - returns: dict - a dict of <passphrase name>: <passphrase> + :returns: dict - a dict of ``<passphrase name>``: ``<passphrase>`` """ section = "encryption" if setup.cfp.has_section(section): @@ -83,11 +175,13 @@ def get_passphrases(setup): else: return dict() -def bruteforce_decrypt(crypted, passphrases=None, setup=None): + +def bruteforce_decrypt(crypted, passphrases=None, setup=None, + algorithm=ALGORITHM): """ Convenience method to decrypt the given encrypted string by trying the given passphrases or all passphrases (as returned by - :func:`Bcfg2.Encryption.passphrases`) sequentially until one is - found that works. + :func:`get_passphrases`) sequentially until one is found that + works. Either ``passphrases`` or ``setup`` must be provided. @@ -97,6 +191,8 @@ def bruteforce_decrypt(crypted, passphrases=None, setup=None): :type passphrases: list :param setup: A Bcfg2 option set to extract passphrases from :type setup: Bcfg2.Options.OptionParser + :param algorithm: The cipher algorithm to use + :type algorithm: string :returns: string - The decrypted data :raises: :class:`M2Crypto.EVP.EVPError`, if the data cannot be decrypted """ @@ -104,8 +200,7 @@ def bruteforce_decrypt(crypted, passphrases=None, setup=None): passphrases = get_passphrases(setup).values() for passwd in passphrases: try: - return ssl_decrypt(crypted, passwd) + return ssl_decrypt(crypted, passwd, algorithm=algorithm) except EVPError: pass raise EVPError("Failed to decrypt") - diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedCheetahGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedCheetahGenerator.py index 3e714c01f..9eed633c4 100644 --- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedCheetahGenerator.py +++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedCheetahGenerator.py @@ -2,12 +2,14 @@ .cheetah.crypt files)""" from Bcfg2.Server.Plugins.Cfg.CfgCheetahGenerator import CfgCheetahGenerator -from Bcfg2.Server.Plugins.Cfg.CfgEncryptedGenerator import CfgEncryptedGenerator +from Bcfg2.Server.Plugins.Cfg.CfgEncryptedGenerator \ + import CfgEncryptedGenerator + class CfgEncryptedCheetahGenerator(CfgCheetahGenerator, CfgEncryptedGenerator): """ CfgEncryptedCheetahGenerator lets you encrypt your Cheetah :ref:`server-plugins-generators-cfg` files on the server """ - + #: handle .crypt.cheetah or .cheetah.crypt files __extensions__ = ['cheetah.crypt', 'crypt.cheetah'] diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py index 71e407d17..f8d08b394 100644 --- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py +++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenerator.py @@ -2,15 +2,17 @@ :ref:`server-plugins-generators-cfg` files on the server. """ import logging -import Bcfg2.Server.Plugin +from Bcfg2.Server.Plugin import PluginExecutionError from Bcfg2.Server.Plugins.Cfg import CfgGenerator, SETUP try: - from Bcfg2.Encryption import bruteforce_decrypt, EVPError - have_crypto = True + from Bcfg2.Encryption import bruteforce_decrypt, EVPError, \ + get_algorithm + HAS_CRYPTO = True except ImportError: - have_crypto = False + HAS_CRYPTO = False + +LOGGER = logging.getLogger(__name__) -logger = logging.getLogger(__name__) class CfgEncryptedGenerator(CfgGenerator): """ CfgEncryptedGenerator lets you encrypt your plaintext @@ -21,10 +23,10 @@ class CfgEncryptedGenerator(CfgGenerator): def __init__(self, fname, spec, encoding): CfgGenerator.__init__(self, fname, spec, encoding) - if not have_crypto: - msg = "Cfg: M2Crypto is not available: %s" % entry.get("name") - logger.error(msg) - raise Bcfg2.Server.Plugin.PluginExecutionError(msg) + if not HAS_CRYPTO: + msg = "Cfg: M2Crypto is not available" + LOGGER.error(msg) + raise PluginExecutionError(msg) __init__.__doc__ = CfgGenerator.__init__.__doc__ def handle_event(self, event): @@ -35,19 +37,20 @@ class CfgEncryptedGenerator(CfgGenerator): except UnicodeDecodeError: crypted = open(self.name, mode='rb').read() except: - logger.error("Failed to read %s" % self.name) + LOGGER.error("Failed to read %s" % self.name) return # todo: let the user specify a passphrase by name try: - self.data = bruteforce_decrypt(crypted, setup=SETUP) + self.data = bruteforce_decrypt(crypted, setup=SETUP, + algorithm=get_algorithm(SETUP)) except EVPError: msg = "Failed to decrypt %s" % self.name - logger.error(msg) - raise Bcfg2.Server.Plugin.PluginExecutionError(msg) + LOGGER.error(msg) + raise PluginExecutionError(msg) handle_event.__doc__ = CfgGenerator.handle_event.__doc__ def get_data(self, entry, metadata): if self.data is None: - raise Bcfg2.Server.Plugin.PluginExecutionError("Failed to decrypt %s" % self.name) + raise PluginExecutionError("Failed to decrypt %s" % self.name) return CfgGenerator.get_data(self, entry, metadata) get_data.__doc__ = CfgGenerator.get_data.__doc__ diff --git a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenshiGenerator.py b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenshiGenerator.py index 0d5d98ba6..6fd70e69f 100644 --- a/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenshiGenerator.py +++ b/src/lib/Bcfg2/Server/Plugins/Cfg/CfgEncryptedGenshiGenerator.py @@ -1,15 +1,17 @@ """ Handle encrypted Genshi templates (.crypt.genshi or .genshi.crypt files) """ +import logging from Bcfg2.Compat import StringIO +from Bcfg2.Server.Plugin import PluginExecutionError +from Bcfg2.Server.Plugins.Cfg import SETUP from Bcfg2.Server.Plugins.Cfg.CfgGenshiGenerator import CfgGenshiGenerator -from Bcfg2.Server.Plugins.Cfg.CfgEncryptedGenerator import CfgEncryptedGenerator try: - from Bcfg2.Encryption import bruteforce_decrypt + from Bcfg2.Encryption import bruteforce_decrypt, get_algorithm + HAS_CRYPTO = True except ImportError: - # CfgGenshiGenerator will raise errors if crypto doesn't exist - pass + HAS_CRYPTO = False try: from genshi.template import TemplateLoader @@ -17,21 +19,25 @@ except ImportError: # CfgGenshiGenerator will raise errors if genshi doesn't exist TemplateLoader = object +LOGGER = logging.getLogger(__name__) + class EncryptedTemplateLoader(TemplateLoader): """ Subclass :class:`genshi.template.TemplateLoader` to decrypt the data on the fly as it's read in using :func:`Bcfg2.Encryption.bruteforce_decrypt` """ def _instantiate(self, cls, fileobj, filepath, filename, encoding=None): - plaintext = StringIO(bruteforce_decrypt(fileobj.read())) + plaintext = \ + StringIO(bruteforce_decrypt(fileobj.read(), + algorithm=get_algorithm(SETUP))) return TemplateLoader._instantiate(self, cls, plaintext, filepath, filename, encoding=encoding) - + class CfgEncryptedGenshiGenerator(CfgGenshiGenerator): """ CfgEncryptedGenshiGenerator lets you encrypt your Genshi :ref:`server-plugins-generators-cfg` files on the server """ - + #: handle .crypt.genshi or .genshi.crypt files __extensions__ = ['genshi.crypt', 'crypt.genshi'] @@ -39,3 +45,9 @@ class CfgEncryptedGenshiGenerator(CfgGenshiGenerator): #: when it's read in __loader_cls__ = EncryptedTemplateLoader + def __init__(self, fname, spec, encoding): + CfgGenshiGenerator.__init__(self, fname, spec, encoding) + if not HAS_CRYPTO: + msg = "Cfg: M2Crypto is not available" + LOGGER.error(msg) + raise PluginExecutionError(msg) diff --git a/src/lib/Bcfg2/Server/Plugins/Properties.py b/src/lib/Bcfg2/Server/Plugins/Properties.py index 1b925ce46..590d536a9 100644 --- a/src/lib/Bcfg2/Server/Plugins/Properties.py +++ b/src/lib/Bcfg2/Server/Plugins/Properties.py @@ -5,46 +5,50 @@ import copy import logging import lxml.etree import Bcfg2.Server.Plugin +from Bcfg2.Server.Plugin import PluginExecutionError try: from Bcfg2.Encryption import ssl_decrypt, get_passphrases, \ - bruteforce_decrypt, EVPError - have_crypto = True + get_algorithm, bruteforce_decrypt, EVPError + HAS_CRYPTO = True except ImportError: - have_crypto = False + HAS_CRYPTO = False -logger = logging.getLogger(__name__) +LOGGER = logging.getLogger(__name__) SETUP = None class PropertyFile(Bcfg2.Server.Plugin.StructFile): - """Class for properties files.""" + """ Class for properties files. """ + def write(self): """ Write the data in this data structure back to the property file """ if not SETUP.cfp.getboolean("properties", "writes_enabled", default=True): - msg = "Properties files write-back is disabled in the configuration" - logger.error(msg) - raise Bcfg2.Server.Plugin.PluginExecutionError(msg) + msg = "Properties files write-back is disabled in the " + \ + "configuration" + LOGGER.error(msg) + raise PluginExecutionError(msg) try: self.validate_data() - except Bcfg2.Server.Plugin.PluginExecutionError: + except PluginExecutionError: msg = "Cannot write %s: %s" % (self.name, sys.exc_info()[1]) - logger.error(msg) - raise Bcfg2.Server.Plugin.PluginExecutionError(msg) + LOGGER.error(msg) + raise PluginExecutionError(msg) try: open(self.name, - "wb").write(lxml.etree.tostring(self.xdata, - xml_declaration=False, - pretty_print=True).decode('UTF-8')) + "wb").write( + lxml.etree.tostring(self.xdata, + xml_declaration=False, + pretty_print=True).decode('UTF-8')) return True except IOError: err = sys.exc_info()[1] msg = "Failed to write %s: %s" % (self.name, err) - logger.error(msg) - raise Bcfg2.Server.Plugin.PluginExecutionError(msg) + LOGGER.error(msg) + raise PluginExecutionError(msg) def validate_data(self): """ ensure that the data in this object validates against the @@ -55,31 +59,34 @@ class PropertyFile(Bcfg2.Server.Plugin.StructFile): schema = lxml.etree.XMLSchema(file=schemafile) except: err = sys.exc_info()[1] - raise Bcfg2.Server.Plugin.PluginExecutionError("Failed to process schema for %s: %s" % (self.name, err)) + raise PluginExecutionError("Failed to process schema for %s: " + "%s" % (self.name, err)) else: # no schema exists return True if not schema.validate(self.xdata): - raise Bcfg2.Server.Plugin.PluginExecutionError("Data for %s fails to validate; run bcfg2-lint for more details" % self.name) + raise PluginExecutionError("Data for %s fails to validate; run " + "bcfg2-lint for more details" % + self.name) else: return True def Index(self): Bcfg2.Server.Plugin.StructFile.Index(self) if self.xdata.get("encryption", "false").lower() != "false": - if not have_crypto: + if not HAS_CRYPTO: msg = "Properties: M2Crypto is not available: %s" % self.name - logger.error(msg) - raise Bcfg2.Server.Plugin.PluginExecutionError(msg) + LOGGER.error(msg) + raise PluginExecutionError(msg) for el in self.xdata.xpath("//*[@encrypted]"): try: el.text = self._decrypt(el) except EVPError: msg = "Failed to decrypt %s element in %s" % (el.tag, self.name) - logger.error(msg) - raise Bcfg2.Server.PluginExecutionError(msg) + LOGGER.error(msg) + raise PluginExecutionError(msg) def _decrypt(self, element): if not element.text.strip(): @@ -88,14 +95,18 @@ class PropertyFile(Bcfg2.Server.Plugin.StructFile): try: passphrase = passes[element.get("encrypted")] try: - return ssl_decrypt(element.text, passphrase) + return ssl_decrypt(element.text, passphrase, + algorithm=get_algorithm(SETUP)) except EVPError: # error is raised below pass except KeyError: - return bruteforce_decrypt(element.text, passphrases=passes.values()) + return bruteforce_decrypt(element.text, + passphrases=passes.values(), + algorithm=get_algorithm(SETUP)) raise EVPError("Failed to decrypt") + class PropDirectoryBacked(Bcfg2.Server.Plugin.DirectoryBacked): __child__ = PropertyFile patterns = re.compile(r'.*\.xml$') diff --git a/src/sbin/bcfg2-crypt b/src/sbin/bcfg2-crypt index 1af1771cf..bae4ad8ef 100755 --- a/src/sbin/bcfg2-crypt +++ b/src/sbin/bcfg2-crypt @@ -125,7 +125,9 @@ class Encryptor(object): return self.unchunk(crypted, plaintext) def _encrypt(self, plaintext, passphrase, name=None): - return Bcfg2.Encryption.ssl_encrypt(plaintext, passphrase) + return Bcfg2.Encryption.ssl_encrypt( + plaintext, passphrase, + Bcfg2.Encryption.get_algorithm(self.setup)) def decrypt(self, fname): try: @@ -198,8 +200,8 @@ class Encryptor(object): return True except IOError: err = sys.exc_info()[1] - self.logger.error("Error writing encrypted data from %s to %s: %s" % - (fname, new_fname, err)) + self.logger.error("Error writing encrypted data from %s to %s: %s" + % (fname, new_fname, err)) return False except EncryptionChunkingError: err = sys.exc_info()[1] @@ -217,8 +219,8 @@ class Encryptor(object): return True except IOError: err = sys.exc_info()[1] - self.logger.error("Error writing encrypted data from %s to %s: %s" % - (fname, new_fname, err)) + self.logger.error("Error writing encrypted data from %s to %s: %s" + % (fname, new_fname, err)) return False def get_passphrase(self, chunk): @@ -248,7 +250,9 @@ class Encryptor(object): return None def _decrypt(self, crypted, passphrase): - return Bcfg2.Encryption.ssl_decrypt(crypted, passphrase) + return Bcfg2.Encryption.ssl_decrypt( + crypted, passphrase, + Bcfg2.Encryption.get_algorithm(self.setup)) class CfgEncryptor(Encryptor): @@ -268,8 +272,10 @@ class PropertiesEncryptor(Encryptor): if name is None: name = "true" if plaintext.text and plaintext.text.strip(): - plaintext.text = Bcfg2.Encryption.ssl_encrypt(plaintext.text, - passphrase).strip() + plaintext.text = Bcfg2.Encryption.ssl_encrypt( + plaintext.text, + passphrase, + Bcfg2.Encryption.get_algorithm(self.setup)).strip() plaintext.set("encrypted", name) return plaintext @@ -334,8 +340,10 @@ class PropertiesEncryptor(Encryptor): if not crypted.text or not crypted.text.strip(): self.logger.warning("Skipping empty element %s" % crypted.tag) return crypted - crypted.text = Bcfg2.Encryption.ssl_decrypt(crypted.text, - passphrase).strip() + crypted.text = Bcfg2.Encryption.ssl_decrypt( + crypted.text, + passphrase, + Bcfg2.Encryption.get_algorithm(self.setup)).strip() return crypted @@ -419,8 +427,8 @@ def main(): "ignoring for this file" % fname) else: if setup['xpath']: - logger.info("Cannot use xpath with Cfg file %s, ignoring xpath " - "for this file" % fname) + logger.info("Cannot use xpath with Cfg file %s, ignoring " + "xpath for this file" % fname) if setup['interactive']: logger.info("Cannot use interactive mode with Cfg file %s, " "ignoring -I for this file" % fname) @@ -449,6 +457,7 @@ def main(): data = xform(fname) if not data: print("Failed to %s %s, skipping" % (xform.__name__, fname)) + continue if setup['crypt_stdout']: if len(setup['args']) > 1: print("----- %s -----" % fname) @@ -458,7 +467,8 @@ def main(): else: write(fname, data=data) - if setup['remove'] and encryptor.get_encrypted_filename(fname) != fname: + if (setup['remove'] and + encryptor.get_encrypted_filename(fname) != fname): try: os.unlink(fname) except IOError: |